GPSolo Magazine - January/February 2006

Muddy Waters: Spyware’s Legal and Ethical Implications

By Sharon D. Nelson and John W. Simek

Spyware has made the notion of peeping through keyholes wonderfully quaint. How much simpler it is to record your spouse’s/lover’s/significant other’s every keystroke and know for sure what they are up to without ever leaving the comfort of your computer station. Adultery is as old as time, but who would ever guess that cyber-adultery would be a commonplace phenomenon and often the genesis of divorce?

The legality of spyware is murky, at best. The courts have spoken of it only infrequently, so there is precious little guidance. How does a lawyer appropriately advise the client who wants to employ spyware, or who already has? How does a lawyer appropriately advise the client who believes that someone has used spyware to conduct surveillance on his or her computer usage? It is a dicey business and fraught with risk for lawyer and client alike.

Before plunging into the legality of spyware, let us attempt to set the stage.

What Constitutes Spyware?

No one quite agrees on a definition, but generally speaking, spyware is software (or, less frequently, hardware) installed on a computer without the target user’s knowledge and meant to monitor the user’s conduct. Most of the time, in domestic practice, the target is e-mail and chat room activities, but spyware can record everything the user does on the computer, including financial record keeping, the preparation in a word-processing program of letters to counsel, or the updating of business records. Some spyware is used to gather personal identifying information such as passwords, credit card numbers, and Social Security Numbers, all useful for those interested in fraud and identity theft. Some spyware programs will hijack your web browser, reset your home page, add toolbars, alter search results, or send pop-up ads that cannot be closed. Recently, many programs come with a re-installer—as soon as you attempt to remove the software, it reloads itself.

These days, there are so many spyware manufacturers that it is well nigh impossible to list them all. They have such names as ComputerGOD, Keyboard Cop, Spy-Agent, Looxee, Spector Pro, PC Spy, PAL KeyLogPro, and Ghost Keylogger. They have different features and have slightly different operating characteristics, but they are all intended to spy on someone else’s computer use—stealthily.

Many of the programs act like cameras, taking a picture of whatever is on the screen every few seconds. The picture playback is like a herky-jerky film from the 1920s. Many of the programs will send the log files of the activity to an e-mail address where the spy can play back the sessions.

There are also hardware keystroke loggers such as KeyKatcher, a small “dongle” (adaptor) that plugs in between the keyboard and the PC. It’s a modern-day “bug” with a memory capacity of 32K, 64K, or 128K, enough to store several weeks’ worth of typing, after which it can be removed and all the text downloaded onto another machine. The drawback, obviously, is that this requires that the person placing the KeyKatcher have continuing physical access to the machine. KeyKatcher is therefore commonly used by husbands and wives residing together.

How much does spyware cost? Not much: $30 to $100 is a common range, a cheap price for a thorough invasion of privacy. (For more about detecting and removing spyware from your own computer systems, see the sidebar “Cyber-Vermin” on page 20 and the article “Spyware: Exorcising the Demons” in the December 2005 issue of GPSolo, volume 22, number 8.)

Are There Anti-Spyware Laws?

As of October 2005, there was no federal anti-spyware law. In May 2005 the House of Representatives passed two bills designed to punish those who install spyware on people’s computers without their knowledge. After abandoning efforts to merge the two measures into a single bill, the House voted 395-1 to pass legislation that would send some spyware distributors to jail for up to five years and also voted 393-4 in favor of a separate bill that would impose heavy fines on people and companies that install spyware on people’s computers without their permission. The House passed two nearly identical bills in October 2004, but concerns in the Senate, including how best to punish spyware purveyors while protecting legitimate businesses, prevented passage.

One of the bills passed in 2005, known as the Spy Act, requires businesses to obtain permission before placing computer programs on people’s computers, an opt-in procedure. Technology companies generally prefer “opt-out” language, which allows consumers to request that programs not be uploaded to their computers, but which doesn’t force companies to ask permission every time. The Spy Act would prohibit unauthorized software from changing a browser’s default home page, changing the security settings of a computer, logging keystrokes and activity, and delivering advertisements that the user can’t close without turning the machine off or ending all sessions of the browser. The bill also outlaws some of the most insidious practices associated with spyware, including many of the gimmicks used to trick people into installing the programs. Violators could be fined up to $3 million per violation. Many spyware functions would be defined as unfair business practices subject to Federal Trade Commission fines. The other 2005 bill, known as the Internet Spyware Prevention Act, has been less controversial. It focuses on some of the spyware distributors’ more overtly criminal activities and imposes jail terms of up to five years on those who use software to illegally gain access to a computer.

Nine states currently have legislation intended to prevent some kinds of spyware. As of October 2005, anti-spyware legislation is pending in 28 states. Our own state of Virginia has both a computer trespass and computer privacy statute, so spyware is a definite no-no here, even among spouses or partners using a joint family computer (it’s permissible to monitor your children). A quick scan of other states revealed similar laws in Kansas, Tennessee, Rhode Island, Washington, and North Carolina. Clearly, attorneys must be cognizant of the laws in their own jurisdiction.

How About Laws Not Specific to Spyware?

Herein lies many a trap into which a lawyer might unwittingly step. First, let us consider the federal laws:

The Electronic Communications Privacy Act of 1986 prohibits the interception and disclosure of wire and electronic communications. It also applies to those who use information they know or have reason to know was intercepted. You’d think this would be a slam dunk against spyware, but not so. The law is currently in flux, with decisions on both sides. The problem is that the law is old, and not written to accommodate current technology. One case being watched with interest is U.S. v. Councilman, in which a rare book dealer offered free e-mail hosting to clients. However, he copied their e-mails for the purpose of gaining a competitive advantage, watching over their correspondence with other book dealers. The lower court found that the e-mails had been in the computer’s memory and therefore were not technically intercepted. The First Circuit Court of Appeals reversed the decision, finding that the law did not require the case’s dismissal, but remanded the case for further proceedings consistent with its opinion. In short, no one knows precisely what the Wiretap Act means when it comes to e-mail.

The Stored Communications Act prohibits the unauthorized access of stored communications. So far, we have not seen any questions involving spyware and this act, although there is no reason why it would not apply. One interesting decision is Theofel v. Farey-Jones (341 F. 3d 978, 9th Cir. 2003), which held that a party serving overly broad subpoenas on an Internet service provider might violate both the Federal Stored Communications Act and the Computer Fraud and Abuse Act.

The Computer Fraud and Abuse Act prohibits a person from accessing a computer without authorization, or from exceeding authorized access and thereby obtaining certain governmental, financial, or consumer information. Clearly, spyware is often used for these purposes.

Because this area is indeed a sand trap, there are also a number of state laws that may apply. Some examples include:

computer privacy laws

wiretap laws

computer trespass laws

fraud laws

harassment laws

stalking laws

Some of these laws carry with them a clause excluding the admission of illegally obtained evidence. And some of them don’t. In the latter cases, it is generally held to be at the discretion of the trial court whether or not to admit the evidence, especially at the state level.

What Are Your Clients Up To?

Attorneys who do domestic relations work can answer this question easily. If you want to check out what your clients are reading online, just type “cheating spouse” in Google and prepare yourself for a slime bath. One typical site is www.chatcheaters.com, which contains real-life stories, ads for keystroke loggers, advice on how to catch cheaters, and even a directory of private investigators and lawyers. Most of the time, clients will have surfed all over the Net on this subject and purchased, installed, or used spyware before they ever consult an attorney. They will arrive in your office with printouts of e-mails that scorch your eyebrows as you read them. They are generally quite pleased with their resourcefulness and blissfully unaware that they may have broken a law. The common belief is that “the computer belongs to both of us so I can do anything I want.” When told they may have broken a law, they become ashen-faced and are stunned to think that the “guilty” party now may have a cause of action against the “victim.”

What else may your clients be up to? Not uncommonly these days, they may have installed a Global Positioning System (GPS) vehicle tracker to spy on a spouse’s movements. For instance, check out the GPS tracking devices offered at www.youarethespy.com/gps-tracking.htm.

Although the realm of domestic relations sees the greatest use of spyware, fast catching up is the use of spyware for business espionage. Those engaged in business espionage tend to hire professionals, so they are less likely to be caught. And even when the spies are caught, spyware incidents in the business world tend to be hushed up—businesses that find their secrets have been revealed via spyware do not want that fact becoming public knowledge. This is particularly true when spyware results in financial or personal information being compromised. Hence, the current push in Congress to demand that businesses come clean when such breaches occur, whether through spyware or direct network intrusions. It is noteworthy that a recent survey of systems administrators found that their number-one concern for 2005 was not phishing (10 percent), nor viruses (27 percent), but spyware.

Ethics and Spyware

Under the scope of representation rule (Rule 1.2), “a lawyer shall not counsel a client to engage, or assist a client, in conduct that the lawyer knows is criminal or fraudulent.” You may, of course, discuss the subject of spyware with a client who might have used it or is considering using it, but only for the purpose of explaining its probable illegal nature. Although we have heard lawyers argue passionately that they do not believe spyware to be illegal, especially in particular states, we believe these attorneys are sorely mistaken and leaving themselves open to sanctions and disciplinary proceedings if they act upon their belief in counseling their clients.

Under Rule 1.6, a lawyer is released from the attorney-client privilege and may reveal, as the lawyer believes necessary, “such information which clearly establishes that the client has, in the course of the representation, perpetrated upon a third party a fraud related to the subject matter of the representation.”

The same rule requires that a lawyer promptly reveal “the intention of a client, as stated by the client, to commit a crime and the information necessary to prevent the crime, but before revealing such information, the attorney shall, where feasible, advise the client of the possible legal consequences of the action, urge the client not to commit the crime, and advise the client that the attorney must reveal the client’s criminal intention unless thereupon abandoned, and, if the crime involves perjury by the client, that the attorney shall seek to withdraw as counsel.” Moreover, the attorney must promptly reveal “information which clearly establishes that the client has, in the course of the representation, perpetrated a fraud related to the subject matter of the representation upon a tribunal” (first asking the client to do so).

Rule 8.4 states unequivocally that it is professional misconduct for a lawyer to: (a) violate or attempt to violate the Rules of Professional Conduct, knowingly assist or induce another to do so, or do so through the acts of another; (b) commit a criminal or deliberately wrongful act that reflects adversely on the lawyer’s honesty, trustworthiness, or fitness to practice law; or (c) engage in conduct involving dishonesty, fraud, deceit, or misrepresentation that reflects adversely on the lawyer’s fitness to practice law.

Therefore, two things you may not do:

Continue to represent a client who uses spyware after receiving the attorney’s advice that use of such software is illegal.

Use illegally intercepted communications or information gleaned from unauthorized access to a computer.

One last point: The general rule is that someone who creates a password (outside of the work environment, where the employer has a right to monitor computer conduct) has created an expectation of privacy and denied authorized access to anyone (including a spouse) who has not been given the password.

What If Your Client Is a Spyware Victim?

How should you advise a client who thinks there may be spyware on his or her computer? If it sounds to you like the facts warrant it, you’ll want to have a forensic technologist find and document the spyware’s existence. This software is so squirrelly that the evidence a layperson can get, if any, is so fragmentary as to be worthless in court. Far better to let an expert find and document the spyware. In any event, you don’t want someone trampling all over the evidence, changing access dates. Sometimes, the expert’s advice will be to let the spyware continue operating briefly while a “sniffer” is employed to determine precisely where the information is going once it leaves the target network.

What If Your Client Is a Spyware Perpetrator?

How should you advise a client who is using spyware to monitor someone else’s computer activity? Tell the client to get it off. Now. No excuses. Even if you live in a state where the software may be legal, and many lawyers do not live in such states, odds are great that federal law will explicitly criminalize this behavior very soon (if it hasn’t already done so by the time you read this). Now that the Councilman decision has been overturned, even current federal laws against the interception of or unauthorized access to electronic communications may be held to apply to the use of spyware.

Be prepared for arguments, especially in domestic relations cases. Over and over again, we have to explain patiently that it doesn’t matter if the computer is owned jointly. In our state of Virginia, you may search a spouse’s car, briefcase, and wallet, but there is a specific statute that grants each individual a right of computer privacy. If that right is violated, the offender is subject to both criminal and civil penalties.

It is also a fact of life that many clients seem unable to “pull the plug” on their spying. The spying itself often becomes an addiction, and the perpetrator is unwilling or unable to break the addiction. It may be necessary to be quite forceful, stating unequivocally that you will have to withdraw from the case if possible criminal conduct continues.

In a number of instances, we have seen those who installed spyware on someone else’s computer religiously monitor correspondence between the victim and his or her attorney. Clearly, no attorney can have anything to do with such conduct under the disciplinary rules.

What of Evidence on a Marital Computer?

Don’t let your client try to find it with spyware. Wrong solution. And it will likely end up getting the client in trouble rather than the spouse who is actually engaging in bad conduct. The first thing you’ll want to do is have a forensic image made of the computer. This can be done without the spouse knowing—while he or she is at work or away on a business trip. Generally, if a computer is received in the morning, a forensic technologist can make and verify the image, returning the computer in the afternoon. At this point, at least you have a record. You will not want to authorize the technologist to analyze the image until a court order has been received, which will protect both attorney and client against any civil or criminal claim of computer trespass or invasion of computer privacy. If the court order is not a current possibility, and perhaps no divorce action is under way as yet, you still have a forensic image to examine when the time is right and you have the court’s imprimatur.

Final Words

As excruciatingly slow as Congress is, the outcry over spyware will probably lead to the passage of a federal law explicitly outlawing it. When that day comes, lawyers will have an easier time dealing with spyware cases. For now the best advice is to treat it as though it is illegal, even where some doubt exists. There are too many state and federal laws that spyware may violate to take chances with possible disciplinary proceedings or even malpractice suits. Spyware is clearly deceptive, at best. For the sake of professional reputation, never mind more dire consequences, it is imperative that lawyers take the higher road and avoid the stench of the spyware swamp.

Sharon D. Nelson and John W. Simek are, respectively, president and vice president of Sensei Enterprises, Inc., a legal technology and computer forensics firm based in Fairfax, Virginia. They can be reached at sensei@senseient.com.